Welcome Mr Jitin Prasada as MOS IT

With the new cabinet of Modi 3.0 announced, it is heartening to note that Mr Ashwini Vaishnaw continues to be the minister for IT along with Railways and Information and Broadcasting. Digital publishing being a major part of MeitY’s regulations, it is good that the I&B ministry has been combined with MeitY at the level of the minister.

The MOS of IT, Mr Rajeev Chandrasekhar, unfortunately lost his election narrowly in Thiruvananthapuram against Mr Shashi Tharoor and will be missed for continuity. We wish Rajeev Chandrasekhar all the best in his next stint as a party worker either in Kerala or in Bangalore, which he represented in the Rajya Sabha.

In place of Mr Rajeev Chandrasekhar, we now have Mr Jitin Prasada as the new minister of state for IT.

A product of Doon School, Dehradun and an MBA from International Management Institute in New Delhi, Jitin Prasada recently served as a Minister in the UP state Government as Minister of Technical Education for 2 years.

We hope that, under the guidance of Mr Ashwini Vaishnaw, he would ensure that the projects of MeitY are implemented without any slackness.

Naavi


Section 65B is now Section 63

Section 65B of Indian Evidence Act (IEA) was a very important amendment made to the age old Indian Evidence Act 1872 consequent to the passing of Information Technology Act 2000 (ITA 2000) notified on 17th October 2000.

This section provided the means of bringing electronic evidence as admissible evidence in a Court of law and Naavi.org has discussed this several times in the last 20 years. Naavi even published an E Book on the topic (which is now due for revision).

Now with the passage of the Bharatiya Sakshya Adhiniyam 2023 (BSA 2023), which has been notified for effectiveness on 1st July 2024 along with the new IPC and new CrPC, Section 65B of IEA will be replaced by Section 63 of BSA 2023 with similar provisions.

The objective of this article is to highlight the difference between Section 65B of IEA 1872 and Section 63 of BSA 2023. Section 65B of IEA had 5 sub sections and Section 63 of BSA also has 5 subsections along with a Schedule that prescribes a draft form of a certificate.

Naavi had presented the first Section 65B certificate in any Indian Court in the case of Government of Tamil Nadu vs Suhas Katti in AMM Egmore in 2024 which resulted in a successful conviction of the accused. Subsequently Naavi has provided many such certificates. Till 2012 when Supreme Court came out with the famous Basheer Judgement, views of Naavi were not being accepted by a part of the community but the Basheer judgement cleared most of the doubts prevalent in the market.

However there was no uniformity on the format in which the certificates were provided and all sorts of certificates might have been provided and accepted by the Courts.

Now the Section 63 of BSA clears most of the doubts and has brought some clarity. At the same time it might introduce some additional questions which need to be clarified by domain experts. An attempt has been made below to explain the thoughts of Naavi in this regard.

Let us now analyse this section in depth.

Section 63 of BSA 2023 Vs Section 65B of IEA:

Admissibility of Electronic Records

Section 63 of BSA 2023:

63. Admissibility of electronic records. –

(1) Notwithstanding anything contained in this Adhiniyam, any information contained in an electronic record which is printed on paper, stored, recorded or copied in optical or magnetic media or semiconductor memory which is produced by a computer or any communication device or otherwise stored, recorded or copied in any electronic form (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible.
Section 65B of IEA 1872 (amended in 2000):

65B. Admissibility of electronic records. ––
(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence or any contents of the original or of any fact stated therein of which direct evidence would be admissible

It is important to note that this subsection defines what is a “Computer Output” to which the other subsections of Section 63/65B apply. According to the section, information contained in an electronic record is referred to as “Computer output” and it can be either “Printed on paper” or “Stored” on an optical media or magnetic media or semiconductor memory.

In ITA 2000, a document printed out of a computer or binary documents that are processed by a computer are all considered electronic documents and hence the word “Electronic Record” includes such documents even if it is not mentioned.

The critical aspect of the section is that such a Computer output when produced as per this section “Shall” be admissible in the proceedings without the production of the original. The judiciary does not have a discretion not to admit an electronic document unless some lacuna in the process of certification is brought to its notice. Hence this section will be widely debated in all future discussions in the Court involving electronic documents as evidence.

Overall, considering the effect of this sub section, there is no difference between the two versions of sub section (1).

The next sub section 63(2) and 65B(2) compare as follows.

Section 63(2) of BSA 2023:

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:—

(a) the computer output containing the information was produced by the computer or communication device during the period over which the computer or communication device was used regularly to create, store or process information for the purposes of any activity regularly carried on over that period by the person having lawful control over the use of the computer or communication device;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer or communication device in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer or communication device was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer or communication device in the ordinary course of the said activities.  

Section 65B(2) of IEA 1872:

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely: ––
(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;
(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;  
(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and
(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities

We may observe here that the words “or communication device” have been added in the section so that mobile data is clearly within the purview of the section. This was also redundant but clarity is welcome.

Since sub section (1) speaks of “Computer output” the sub section (2) should be attributed to the “Computer Output”. Hence the device referred to in this sub section refers to the computer from which the “Computer Output” is produced. Since “Computer Output” could also be a “Stored” or “Copied” version, the computer device referred to in the sub section (2) should be considered as referring to that computer in which the “Computer Output” was stored or copied and from which the evidence is being extracted.

This interpretation is important since in the cases of documents on the web some people will argue that the hosting operations need to be certified as “working properly” etc., which is incorrect and infeasible. If Mr X is using his computer K to generate the “Computer Output” then K is the device whose owner is relevant for this section and K needs to be working properly etc.

Generating of a “Computer Output” is an activity such as “Printing out”, “Storing”, “Making a copy in a media” etc and the period referred to here is the period of creating such an output. If the print out is a 10 year Bank statement, it is not necessary that it is to be certified that the computer was working properly for 10 years.

Sub section 63(3) is slightly differently worded than 65B(3) though the objective of both is to ensure that a computer output created by a combination of computers such as a Server and a Client etc is within the definition of the section.

The section states as follows:

Section 63(3) of BSA 2023:

(3) Where over any period, the function of creating, storing or processing information for the purposes of any activity regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by means of one or more computers or communication device, whether—
(a) in standalone mode; or
(b) on a computer system; or
(c) on a computer network; or
(d) on a computer resource enabling information creation or providing information processing and storage; or
(e) through an intermediary,
all the computers or communication devices used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer or communication device; and references in this section to a computer or communication device shall be construed accordingly.  

Section 65B(3) of IEA 1872:

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether––
(a) by a combination of computers operating over that period; or
(b) by different computers operating in succession over that period; or
(c) by different combinations of computers operating in succession over that period; or
(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.

It is interesting to note that Section 63 provides a clarity that even if part of the process of producing a computer output involves a different legal entity which is an “Intermediary”, it is considered as a valid document created by the subject computer owner. During this process the document leaves the custody of the subject computer owner, gets processed outside and returns back.

This operation of processing through an intermediary involves “transmission of data out”, “Storage in the intermediary resources”, “Processing in intermediary resources” and “Re-transmission back to the subject computer owner”. It is difficult to accept the integrity of the document processed with the intermediary except with a “Certificate from the Intermediary” that the data received, processed and re-transmitted has not modified the evidentiary value of the electronic record.

In other words the Intermediary has to provide his own “certificate” as an agent of the subject computer owner as part of his data processing network. The drafting of this aspect is therefore open to interpretation which may be disputed and requires a future clarification from the Supreme Court.

For the time being the Jurisprudential advice from us would be that

“Where the processing of the computer output involves computers owned by multiple owners, the owner who presents the evidence must hold confirmatory certificates from the other sub processors that during the processing of data at their end, the material value of the evidentiary content has not been altered”.

For this purpose the sub processor may be called to the Court for evidence or may submit the details of the tool and how it processes the data in the form of a certified document.

The next most important section is Section 65B(4) or Section 63 (4) which speaks of the manner in which certificate has to be issued.

Section 63(4) of BSA 2023:

(4) In any proceeding where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things shall be submitted along with the
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer or a communication device referred to in clauses (a)to (e) of sub-section (3);
(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person in charge of the computer or communication device or the management of the relevant activities (whichever is appropriate) and an expert shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it in the certificate specified in the Schedule.  

Section 65B(4) of IEA 1872:

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say, ––
(a) identifying the electronic record containing the statement and describing the manner in which it was produced;
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;
(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this subsection it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.

This sub section defines the contents of the Certificate and how it is to be issued.

The certificate needs to contain the “Identity of the electronic record” and the “Particulars of the devices involved in its production”, and needs to be “Signed by the person in charge of the computer” and an expert. A copy of such certificate is provided in the schedule also.

The persons who have drafted this sub section have considered that the “Person in charge of a computer” and the “Expert” are two different persons. When this is looked at along with the earlier sub section related to an “Intermediary”, it is possible to interpret that certificate is required by the “Intermediary” also which is not ordinarily feasible.

We should therefore jurisprudentially interpret that certificate is required only from the owner of the computer from which the computer output was produced and will be supported by a “Declaration” that the owner believes that the processing at the hands of the intermediary has not materially altered the evidentiary value of the document.

The sub section uses a terminology “an Expert”. Fortunately it does not use the term “The expert”. In case the words “The expert” had been used, it would have introduced a confusion with the Section 79A expert. “An Expert” means any other person with necessary expertise.

The copy of the certificate template as given in the schedule is as follows:

It is observed that the “Computer Output” in the form of a print out may not have a hash value of its own and the hash value stated here should be considered as referring to the original from which the print out was taken. This means that the electronic document should be first saved as a document in the media for the purpose of calculating the hash value. Whoever drafted this was not fully aware of the implications of this suggestion and hence we need to develop a work around for this. The “Expert” should either store one electronic version of the document which is printed out or state that since the computer output is in the form of a paper document, the hash value refers to the scanned copy of the print out.

The last sub section namely 63(5) refers to a context where the subject computer device from which the evidence is extracted and certified may itself get the feed from another computer. It is not necessary that it should originally be produced by the computer itself.

This sub section states as follows:

Section 63(5) of BSA 2023:

(5) For the purposes of this section,—
(a) information shall be taken to be supplied to a computer or communication device if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;  
(b) a computer output shall be taken to have been produced by a computer or communication device whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment or by other electronic means as referred to in clauses (a) to (e) of sub-section (3).

Section 65B(5) of IEA 1872:

(5) For the purposes of this section, ––
(a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment;
(b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities;
(c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment.
Explanation.––For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process.

This subsection provides a possible solution to the problem of obtaining a certificate of assurance from the sub processors when the evidentiary computer output is produced in multiple computers owned by different owners.

The observation is that after the processing by the sub processor, a final version is back with the subject computer owner. If the certificate is produced for the “As is where is version of the electronic document”, it may be possible not to insist on the assurance certificates from the previous processors.

As an example, let us say there is a document D1 with Mr X in a Computer K. This is sent to an intermediary M who returns a version of the document D2.

Now the document provided for evidentiary purpose may be either D1 or D2.

D1 may be in a format that is not easily readable and hence converting it to D2 may be essential.

The question that arises is whether M should be considered as an intermediary and if so how should we account for the change of D1 to D2 and possible implication on the integrity of the evidence.

In the earlier paragraph we suggested that we can take the certificate of assurance from M that the evidentiary integrity of D1 has not been altered in D2. (eg: D1 is an image which is compressed into D2 and no other change is made).

In view of the 63(5) an alternative exists to avoid the need for the certificate from the intermediary.

We may consider that D2 is the evidentiary document provided to the Court and earlier processing is not under the control of the person who owns the computer and produces D2 as evidence with necessary certification.

The experts who provide Section 63 certificates therefore need to incorporate this description of how the document originated in the annexure to the certificate, using the scheduled format as a covering certificate.
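The hash-value workaround for print-outs and the D1/D2 example discussed above can be illustrated as follows. This is an added example, not part of the original post or of the Schedule to BSA 2023; SHA-256, the file names, the annexure field names and the use of lossless zlib compression to stand in for the processing done by intermediary M are all assumptions.

```python
import hashlib
import json
import tempfile
import zlib
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a stored file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def annexure_entry(label, path, held_on, hash_refers_to, produced_by):
    """One annexure row (hypothetical layout): ties a stated hash to one stored file."""
    path = Path(path)
    return {
        "label": label,
        "file_name": path.name,
        "size_bytes": path.stat().st_size,
        "sha256": sha256_file(path),
        "held_on": held_on,
        "hash_refers_to": hash_refers_to,
        "produced_by": produced_by,
    }


def verify_entries(entries, folder):
    """Re-hash every listed file; return the labels whose hash no longer matches."""
    mismatched = []
    for entry in entries:
        current = sha256_file(Path(folder) / entry["file_name"])
        if current != entry["sha256"]:
            mismatched.append(entry["label"])
    return mismatched


def demo():
    """Walk the D1 -> M -> D2 example with constructed sample data."""
    with tempfile.TemporaryDirectory() as folder:
        folder = Path(folder)

        # D1: constructed sample bytes standing in for the original on computer K.
        d1 = folder / "D1_original.bin"
        d1.write_bytes(b"CONSTRUCTED SAMPLE RECORD\n" * 200)

        # D2: the version returned by intermediary M. Assumption: M only
        # compresses the file, and the compression is lossless.
        d2 = folder / "D2_from_M.bin"
        d2.write_bytes(zlib.compress(d1.read_bytes()))

        entries = [
            annexure_entry("D1", d1, "Computer K (Mr X)",
                           "stored electronic original", "created on K"),
            annexure_entry("D2", d2, "Computer K (Mr X)",
                           "file as received back from M", "processed by M"),
        ]

        # Any processing changes the bytes, so D1 and D2 never share a hash.
        # The certificate must therefore say which file its hash refers to.
        hashes_differ = entries[0]["sha256"] != entries[1]["sha256"]

        # With lossless processing, the claim "content not altered" is testable:
        # undo the processing and compare against the hash recorded for D1.
        restored = hashlib.sha256(zlib.decompress(d2.read_bytes())).hexdigest()
        content_preserved = restored == entries[0]["sha256"]

        unchanged_check = verify_entries(entries, folder)

        # Simulate a later one-bit change to the produced file D2.
        data = bytearray(d2.read_bytes())
        data[-1] ^= 0x01
        d2.write_bytes(bytes(data))
        changed_check = verify_entries(entries, folder)

        return {
            "entries": entries,
            "hashes_differ": hashes_differ,
            "content_preserved": content_preserved,
            "unchanged_check": unchanged_check,
            "changed_check": changed_check,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a print-out, the same entry would be built over the stored electronic version or the scanned copy, with `hash_refers_to` saying which of the two was hashed.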

To sum up, there is a fresh requirement of experts and lawyers to understand Section 63 of Bharatiya Sakshya Adhiniyam and for Judges also to appreciate the points mentioned above.

I am certain that the above discussion is the first such discussion on the section and there will be many more discussions and seminars in which this will be discussed till one day the Supreme Court also understands it and puts it into one of its judgements.

Naavi will, in the meantime, continue to use the thoughts provided here to issue certificates if required. (P.S: At present Naavi has stopped issuing Section 65B certificates due to his pre-occupations with DPDPA related activities).

Naavi


Discuss DPDPA 2023 and ITA 2000 with Naavi

BSPIN and FDPPI have jointly organized an online Fire Chat discussion today at 10.00 am on DPDPA 2023 and ITA 2000.


Registration can be done here

On request, attendees will be issued participation certificate with 2 hours CPE credit. Attendees will also get a 20% discount on the book “Privacy Guardians…”

Naavi


IDPS 2024 to be held on November 22, 23 and 24

FDPPI is pleased to announce that the flagship event of FDPPI namely IDPS 2024 has been scheduled for November 22, 23 and 24 of 2024.

The program will be virtual and live between 3.00 pm and 9.00 pm. This will cover the Indian and EU time.

From 10.00 am to 1.00 pm, pre-recorded videos would be available to cover the US time.

The general theme of the seminar would be “Privacy issues in AI and Robotics, The Law, Technology and Governance”.

Details of individual sessions and speakers are being finalized.

Request all professionals to mark the dates in their calendars.

Any corporate which wants to participate in the conference as sponsor or virtual exhibitor of their products may contact FDPPI.

Naavi


Mission DPDPA: Prices for Certificate Courses made more affordable

FDPPI along with Naavi has embarked on a mission to spread DPDPA awareness amongst the public as well as professionals.

As part of this objective, FDPPI has revised its pricing strategy for the courses on Certified Data Protection Professional from the fixed Course fee payment to a time based subscription model.

The new scheme essentially enables those who are focussed on completing the course to complete the course on a fast track basis at a relatively low cost. Students can take subscriptions to different courses for a 2 month period which can be extended if required.

Further, students would be having the option to book “Mentor Sessions” where they will have a virtual real time interaction with the faculty to get clarifications after going through the video lessons.

In the past, since the access to the course modules was available for an indefinite period, there was no incentive to complete the course quickly and students tended to take up to 6 months for a course which they should normally complete within a month. The new system therefore fixes the subscription at 2 months which is extendable in blocks of further two months.

The two month subscription for different courses as a Self paced access are as follows: (GST Extra).

| No. | Course | Fees for first 2 months (Rs) | Fees for Renewal for further 2 month block (Rs) | Fees for Mentor Sessions of 90 minutes |
|---|---|---|---|---|
| 1 | Certificated Cyber Law Professional (Based on ITA 2000/8) | 3000 | 1500 | 1500 |
| 2 | Certified Indian Data Protection Professional (Based on DPDPA 2023) | 4000 | 2000 | 2000 |
| 3 | Certified Global Data Protection Professional (Based on GDPR, CPRA HIPAA) | 5000 | 2500 | 2000 |
| 4 | Certified DGPMS Implementor (Based on Digital Governance and Protection Management System for India) | 6000 | 3000 | 2000 |
| 5 | Certified Data Protection Officer and Data Auditor (Based on compliance of DPDPA, ITA 2000 and proposed BIS standard of Data Protection) | 15000 | 7500 | 2500 |

As a further commitment to spread the DPDPA professional knowledge and skills, every month, 5 students would be provided a discount of 30% over the above market price for first two months.

Additionally, for those who register for the courses before the rules are notified, one free virtual session of around 2 hours would be provided as a bridging session to update them on the rules.

Reading material would be provided in softcopy form for all the courses.

Examination and Certification

All participants will be provided participation certificate after they clock at least 90% of the video time for the course and a quiz.

Those who would like to opt for C.DPO.DA. certification need to pass an online examination. The examination fee for those who attend the C.DPO.DA. course as above would be Rs 10000/-

However open entry would be provided to professionals who may not undergo the training program at an examination fee of Rs 25000/-

Repeat examination fee would be Rs 6000/-

The passing of the examination would be based on a system of normalization and relative scoring. The decision of FDPPI in this regard is final and not subject to debate.

Naavi


Mission DPDPA: Let us Make it Happen

FDPPI has been working along with Naavi to empower the Data Protection Community in India with Certification programs, the Compliance Framework and other activities.

With the impending notification of DPDPA rules, it is time to accelerate the activities of FDPPI on a mission mode and hence FDPPI is joining hands with Naavi.org in this mission DPDPA as a Co-sponsor.

Details of the mission are available here

The seven major steps towards this mission are

  1. Spread the knowledge of what are the Rights and Duties of Citizens under DPDPA 2023 amongst the general public including students and faculty of Law, Engineering, Management.
  2. Spread the knowledge of what are the compliance requirements under DPDPA 2023 by organizations including the Directors, CxOs and others.
  3. Provide tools of empowerment of individuals through Certification Programs
  4. Provide tools of empowerment to organizations through a framework for compliance along with a system of third party audit, assessment and conformity assurance certificates.
  5. Provide Jurisprudential suggestions to the Government through Policy Advisories placed in the public domain.
  6. Encourage different industry sectors to develop self regulatory guidelines and work towards acceptable sectoral guidelines.
  7. Encourage tech developers to adopt “Compliance by Design” and incorporate DPDPA 2023 compliance when products and services are designed including tools to assist others to be compliant such as AI tools and Governance support software systems.

These are the minimum objectives of the mission and could expand.


Special Mass Drive for Virtual Awareness training

As the D-Day for publication of rules for DPDPA 2023 is approaching, FDPPI has decided to run a special awareness building program on DPDPA 2023, Global Data Protection Laws and Certified DPO and Data Auditor.

The objective of this campaign is to ensure that we reach out to a large number of professionals aspiring to learn about DPDPA 2023 as a law and prepare themselves to be the next generation professionals such as DPOs in India and Data Auditors.

Over the next few months, there will be several in house physical training programs which will be customised to the requirements of different organizations and which will be separately priced. This new campaign is meant for the “Virtual Online Sessions” based on recorded videos and pre-arranged real-time mentor sessions online.

Watch out for details.

Naavi


International Information Security Conference at Bangalore

On June 28, 2024, Bsides Bangalore is conducting its “Security Bsides Bangalore 2024” a premier cyber security conference in India, at Marriott, Whitefield, Bangalore.

FDPPI is a community partner for the event.

Bsides has been conducting such conferences each year and one can expect the following during the conference.

Keynotes & CXO Fireside chats
CxO Roundtables
Panel Discussions
Workshops & Trainings
Research Based Talks & Tech Talks
B5CTF & Wonder women CTF(Capture The Flag)
W3-CS Connect
Job Fair
Career & Resume Clinic
Live Hacking Villages
Tools Forge (showcase Innovation)
Excellence Awards Ceremony
Opportunity to Win Prizes
Exhibits
Limitless networking Opportunities

Interested persons can register here and also avail the discounts from the community discount code given above.

Register for conference: https://lnkd.in/dBbxkGzd
Register for trainings : https://lnkd.in/dAnrKnkg

For any queries please write to info@bsidesbangalore.in


Forthcoming events in FDPPI

FDPPI is organizing events on Compliance of DPDPA at multiple centers for different audience.

Since January, one day events were held in Pune, Mumbai, Ahmedabad and Kolkata.

Now the following events are planned.

13th April 2024: Hyderabad (CIOKLUB members only)

11th May 2024: Delhi (CIOKLUB members only)

12th May 2024: Delhi (Open paid event)

18th May 2024 : Coimbatore (CIOKLUB members only)

The one day programs will cover DPDPA law and Implementation through DGPSI framework.

Interested persons who would like to attend the May 12th event may contact FDPPI. Any other organization which may like to conduct programs for their members may also contact FDPPI.

Naavi


MOU with iLET Solutions

An MOU was signed between the training partner of FDPPI (Cyber Law College, division of Ujvala Consultants Pvt Ltd) and iLET Solutions Private Limited, an e-Learning platform, to provide Learning Management solutions for the different online training programs conducted by Cyber Law College.

Mr Ashok Kini, partner Klickstart Solutions and Director FDPPI (Chapter Activity Coordination Committee) and Suresh Balepur, President Bangalore Chapter of FDPPI were present during the occasion.

iLET Solutions was founded in 2018 and offers a wide range of blended learning courses for talent development and enrichment across all age groups. 

Mr Mayank Jaiswal, the Co-Founder and Director executed the MOU which enables FDPPI and Cyber Law College to host the Certification programs on the platform under the URL “Learnwyse.com”.

ILET will also host “Jnaana Bhandar” which is the video repository of FDPPI events which is part of the continuing education of the members. FDPPI will launch the “Jnaana Bhandar” as part of its “Content Membership” program where professionals can subscribe to the different videos produced during FDPPI knowledge sessions and events which should be useful reference information.

Naavi
